 

Disallowing characters in a password?

Is there something special about characters that should be allowed/not allowed in a password?

I store the password in the db hashed/salted and use PDO to prevent injection. Is what I'm doing enough? Recently I came across a system that disallowed a number of characters, don't remember all of them, but one was the ampersand &. Were they doing it for anti-database injection reasons, or is there something else I'm missing? Should password characters be restricted to a certain set of characters, or is there no need?

cooper asked Jul 03 '10 08:07


2 Answers

There is no technical reason to disallow any characters in a password. I guess in the case you describe, they would allow only alpha-numeric characters to avoid problems on the user's side (say, by entering a character that isn't available on keyboards in another country).

Many providers and sites force users to choose very complex passwords containing a minimum number of digits and, sometimes, even special characters to prevent brute-forcing or dictionary attacks.

I don't think forcing people to choose a complex password is wise. Passwords you can't remember, you will write down somewhere, which often creates a much bigger security risk in real life.

A simple rate limit in the login system (e.g. deny access for 15 minutes after 3 failed login attempts) takes the edge off the brute-forcing threat much more elegantly.

One doesn't have to agree 100% with it, but I found this provocative paper on the subject from Microsoft Research very interesting. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users

From the abstract:

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.

Pekka answered Oct 12 '22 02:10
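One way to implement the rate limit the answer above suggests (deny access for 15 minutes after 3 failed attempts), as an added example that is not Pekka's code. It assumes per-account state held in memory, a pluggable password check, and an injectable clock so the lockout expiry can be exercised without waiting; the credential store and clock are constructed for the demo.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example, not Pekka's code. The policy numbers are the ones from the
# answer; the per-account in-memory state and the injectable clock are
# assumptions made so the example runs stand-alone.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # clock value at which the lockout ends


class LoginThrottle:
    def __init__(self, check_password: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._check = check_password
        self._clock = clock
        self._state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        state = self._state.setdefault(user, AccountState())
        if now < state.locked_until:
            # Refuse before checking the password, otherwise an attacker could
            # keep guessing during the lockout and simply ignore the message.
            return "locked"
        if self._check(user, password):
            self._state.pop(user, None)  # success clears the counter
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0  # a fresh window starts after the lockout expires
        return "denied"


class FakeClock:
    """Constructed clock so the demo can jump forward 15 minutes instantly."""

    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now


# Constructed credential store; a real system would call the function that
# compares the candidate against the salted hash stored in the database.
USERS = {"alice": "correct horse battery staple"}


def demo() -> List[str]:
    clock = FakeClock()
    throttle = LoginThrottle(lambda u, p: USERS.get(u) == p, clock)
    outcomes = [throttle.attempt("alice", "guess%d" % i) for i in range(3)]  # three failures
    outcomes.append(throttle.attempt("alice", USERS["alice"]))               # correct, but locked
    clock.now += LOCKOUT_SECONDS - 1
    outcomes.append(throttle.attempt("alice", USERS["alice"]))               # one second short
    clock.now += 1
    outcomes.append(throttle.attempt("alice", USERS["alice"]))               # lockout over
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

The third failure starts the 15-minute window, the correct password is refused until it ends, and the first correct attempt afterwards succeeds and resets the account. The caveat a practitioner should weigh: a purely per-account lockout lets anyone who knows a username lock its owner out on purpose, so production systems usually pair it with per-client (IP or session) limits or a CAPTCHA rather than relying on account lockout alone.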


When I enter passwords, I normally like to write longer sentences that I can remember instead of p"%&/k1 or the like.

So make sure you allow your users to write passwords longer than 10 characters. It always frustrates me when I am forced to enter a short password with special characters instead of a longer one that would be more memorable and safer.

SwissCoder answered Oct 12 '22 02:10